Add optional callback for signature verification (crewjam#237)
joesiltberg authored and crewjam committed Dec 2, 2019
1 parent 1a36cc7 commit f367868
Showing 1 changed file with 16 additions and 0 deletions.
16 changes: 16 additions & 0 deletions service_provider.go
Expand Up @@ -40,6 +40,14 @@ const (
PersistentNameIDFormat NameIDFormat = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
)

// SignatureVerifier verifies a signature
//
// Can be implemented in order to override ServiceProvider's default
// way of verifying signatures.
type SignatureVerifier interface {
VerifySignature(validationContext *dsig.ValidationContext, el *etree.Element) error
}

// ServiceProvider implements SAML Service provider.
//
// In SAML, service providers delegate responsibility for identifying
Expand Down Expand Up @@ -86,6 +94,10 @@ type ServiceProvider struct {

// AllowIdpInitiated
AllowIDPInitiated bool

// SignatureVerifier, if non-nil, allows you to implement an alternative way
// to verify signatures.
SignatureVerifier SignatureVerifier
}

// MaxIssueDelay is the longest allowed time between when a SAML assertion is
Expand Down Expand Up @@ -770,6 +782,10 @@ func (sp *ServiceProvider) validateSignature(el *etree.Element) error {
return err
}

if sp.SignatureVerifier != nil {
return sp.SignatureVerifier.VerifySignature(validationContext, el)
}

_, err = validationContext.Validate(el)
return err
}
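Review bot: The doc comments added in the first and second hunks do not state the security contract that the third hunk creates: when SignatureVerifier is non-nil, validateSignature returns whatever VerifySignature returns and never reaches validationContext.Validate, so a verifier that returns nil makes the service provider treat the element as authentically signed by the IdP. The validationContext is passed in but nothing in validateSignature checks that the implementation consulted its certificate store, so the burden of rejecting unsigned, malformed or untrusted-key signatures moves entirely to the caller-supplied type. Suggest extending the interface comment in the first hunk with `// A non-nil SignatureVerifier fully replaces the default validation: returning nil` / `// asserts that el carries a valid signature from a trusted IdP key, so implementations` / `// must be at least as strict as validationContext.Validate.` and the field comment in the second hunk with a one-line pointer to that contract. The body of validateSignature begins before the third hunk, so whether validationContext is built from the IdP metadata above cannot be confirmed from the hunk alone.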
